Testsuite: operational notes for TFO
[exim.git] / test / confs / 5847
1 # Exim test configuration 5847
2 # OCSP stapling under DANE, client
3
4 SERVER =
5
6 exim_path = EXIM_PATH
7 keep_environment  = ^EXIM_TESTHARNESS_DISABLE_[O]CSPVALIDITYCHECK$
8 host_lookup_order = bydns
9 spool_directory = DIR/spool
10 log_file_path = DIR/spool/log/SERVER%slog
11 gecos_pattern = ""
12 gecos_name = CALLER_NAME
13 chunking_advertise_hosts =
14 primary_hostname = server1.example.com
15
16 .ifdef _HAVE_DMARC
17 dmarc_tld_file =
18 .endif
19
20
21 # ----- Main settings -----
22
23 domainlist local_domains = test.ex : *.test.ex
24
25 .ifndef OPT
26 acl_smtp_rcpt = check_recipient
27 .else
28 acl_smtp_rcpt = accept verify = recipient/callout
29 .endif
30 acl_smtp_data = check_data
31
32 log_selector =  +received_recipients +tls_peerdn +tls_certificate_verified +tls_sni
33 remote_max_parallel = 1
34 queue_run_in_order
35
36 tls_advertise_hosts = *
37
38 CDIR1 = DIR/aux-fixed/exim-ca/example.net/server1.example.net
39 CDIR2 = DIR/aux-fixed/exim-ca/example.com/server1.example.com
40
41 .ifdef CERT
42 tls_certificate = CERT
43 .else
44 tls_certificate = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
45                 {CDIR2/fullchain.pem}\
46                 {CDIR1/fullchain.pem}}
47 .endif
48
49 .ifdef ALLOW
50 tls_privatekey = ALLOW
51 .else
52 tls_privatekey = ${if or {{eq {DETAILS}{ta}} {eq {DETAILS}{ca}} {eq {DETAILS}{ee}}} \
53                 {CDIR2/server1.example.com.unlocked.key}\
54                 {CDIR1/server1.example.net.unlocked.key}}
55 .endif
56
57 tls_ocsp_file = RETURN
58
59
60 # ------ ACL ------
61
62 begin acl
63
64 check_recipient:
65   accept  domains = +local_domains
66   deny    message = relay not permitted
67
68 check_data:
69   warn    condition   = ${if def:h_X-TLS-out:}
70           logwrite = client claims: $h_X-TLS-out:
71   accept
72
73 # ----- Routers -----
74
75 begin routers
76
77 client:
78   driver =      dnslookup
79   condition =   ${if eq {SERVER}{server}{no}{yes}}
80   dnssec_request_domains = *
81   self =        send
82   retry_use_local_part
83   transport =   send_to_server${if eq{$local_part}{norequest}{1} \
84                                 {${if eq{$local_part}{norequire} {2} \
85                                 {3} \
86                              }}}
87   errors_to =   ""
88
89 server:
90   driver = redirect
91   data = :blackhole:
92
93
94 # ----- Transports -----
95
96 begin transports
97
98                         # nostaple
99 send_to_server1:
100   driver =              smtp
101   allow_localhost
102   port =                PORT_D
103   hosts_try_fastopen =  :
104   tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
105   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
106   hosts_try_dane =      *
107   hosts_require_tls =   *
108   hosts_request_ocsp =  :
109   headers_add =         X-TLS-out: ocsp status $tls_out_ocsp \
110                 (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
111
112                         # norequire
113 send_to_server2:
114   driver =              smtp
115   allow_localhost
116   port =                PORT_D
117   hosts_try_fastopen =  :
118   tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
119   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
120   hosts_try_dane =      *
121   hosts_require_tls =   *
122 # note no ocsp mention here
123   headers_add =         X-TLS-out: ocsp status $tls_out_ocsp \
124                 (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
125
126 #                       default
127 send_to_server3:
128   driver =              smtp
129   allow_localhost
130   port =                PORT_D
131   hosts_try_fastopen =  :
132   helo_data =           helo.data.changed
133   tls_verify_certificates = ${if eq {DETAILS}{ca} {CDIR2/ca_chain.pem} {}}
134   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
135   hosts_try_dane =      *
136   hosts_require_tls =   *
137   hosts_require_ocsp =  *
138   headers_add =         X-TLS-out: ocsp status $tls_out_ocsp \
139                 (${listextract {${eval:$tls_out_ocsp+1}} {notreq:notresp:vfynotdone:failed:verified}})
140
141
142 # ----- Retry -----
143
144
145 begin retry
146
147 * * F,5d,1s
148
149
150 # End